Introduction

All users make mistakes, but attackers also perform actions that the user interface doesn't offer or are impossible to do without using tools like intercepting proxies. The AppSensor concept describes how to make applications attack-aware.

AppSensor will:

Identify whether your application is under attack in real time

Optionally initiate an immediate response action to protect the application and its data

AppSensor does not:

Implement error handling for you (although detection points are often inherently linked with error handling code)

Perform application security logging (but logging mechanisms could be used to record detected events)

Protect you if you have existing vulnerabilities (fix known vulnerabilities and implement secure-SDLC activities to avoid new ones)

Where possible implement the recommendations in the other cheat sheets as thoroughly as possible first, before considering the ideas within AppSensor. Robust error handling mechanisms and security event logging should already be part of well designed quality software.

Purpose

Distribute detection points in the application to detect very suspicious and blatantly malicious use

Collect these event event data

Define a very low tolerance threshold, and take a predefined automated action once a user exceeds the limits of reasonable use

Pre-requisities

What to detect

It is very important not to make detection overly complex, and vital not to include events which could be triggered by normal, even accidental, behavior.

The most commonly implemented detection points are:

How to respond

Thresholds:

Typical responses, that the application may already support in some manner, are:

Change monitoring of the user (e.g. increase logging level)

Raise an alert

Add time delays

Log a user out (and possibly lock the account)

More advanced responses could include

Changing a function (adding a CAPTCHA, ??? )

Disabling a function (for the user, for a group of users, for all users)